Hi,
are there any SSSD users who actively use a configuration with:
id_provider=local ?
If so, what is your use-case?
We're considering deprecating and eventually removing this provider
upstream. The replacemant for id_provider=local would be id_provider=files:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider
which is already under review and later extension of the SSSD's D-Bus
interface to allow manipulating custom user attributes.
My current plan for deprecating the local provider is to only build the
provider and the tools around it if a configure-time flag is provided.
This flag would be disabled by default. Then, if noone complains,
eventually just remove the code.

Hi all,
I noticed a while ago that 1.15.3 was versioned in the repo but I've not
seen anything released? I'm mostly looking on the COPR
(
https://pagure.io/SSSD/sssd/c/012ee7c3fe24a5e75d9b0465268c1bb8187b8337?br...
)
This is purely selfish - I love all that you do, and I'm aware that there
has been some fairly comprehensive infrastructural change.
I'm just waiting on that one fix and have no roadmap visibility :)
cheers
L.
------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*

Hey All,
We're receiving the following message on an older installation of SSSD
and RHEL 6.7. SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.
I'm wondering under what conditions could "Expected one user entry and
got 2" be thrown and if it's fixed in higher SSSD versions.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.

Hey All,
We are connecting a set of servers directly with AD. The AD computer
object is created for the host and is associated to a service account.
This service account works well with other hosts on the same domain.
Since this is a direct SSSD to AD setup, we are using adcli to establish
a connection to AD.
adcli populates a /etc/krb5.keytab file with a number of entries including:
* Added the entries to the keytab:
host/longhostname-host01.xyz.abc.com(a)COMPANY.COM: FILE:/etc/krb5.keytab
and runs successfully, without errors, to completion. However when
starting up sssd, we see the following in the log files:
.
.
[[sssd[ldap_child[11774]]]] [main] (0x0400): ldap_child started.
[[sssd[ldap_child[11774]]]] [main] (0x2000): context initialized
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): total buffer size: 71
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): realm_str size: 12
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got realm_str:
COMPANY.COM
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): princ_str size: 35
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): got princ_str:
host/longhostname-host01.xyz.abc.co
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): keytab_name size: 0
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x1000): lifetime: 86400
[[sssd[ldap_child[11774]]]] [unpack_buffer] (0x0200): Will run as [0][0].
[[sssd[ldap_child[11774]]]] [privileged_krb5_setup] (0x2000): Kerberos
context initialized
[[sssd[ldap_child[11774]]]] [main] (0x2000): Kerberos context initialized
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Trying to become
user [0][0].
[[sssd[ldap_child[11774]]]] [become_user] (0x0200): Already user [0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): Running as [0][0].
[[sssd[ldap_child[11774]]]] [main] (0x2000): getting TGT sync
got princ_str: host/longhostname-host01.xyz.abc.com(a)COMPANY.COM
.
.
Principal name is: [host/longhostname-host01.xyz.abc.com(a)COMPANY.COM]
.
.
followed by:
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.219837: Looked up etypes in keytab: des-cbc-crc, des,
des-cbc-crc, rc4-hmac, aes128-cts, aes256-cts
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.219898: Sending request (224 bytes) to COMPANY.COM
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.220151: Initiating TCP connection to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.222555: Sending TCP request to stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226128: Received answer from stream 1.2.3.4:88
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226205: Response was from master KDC
[[sssd[ldap_child[11774]]]] [sss_child_krb5_trace_cb] (0x4000): [11774]
1492661662.226238: Received error from KDC: -1765328378/Client not found
in Kerberos database
Verified that the krb5.keytab has the principal and it matches exactly.
The OS is RHEL 6.7. Wondering if anyone ran into this and what could be
some of the problems that could be causing this? Do we need something
extra to be done on the AD side besides creating the computer object?
We'd take it from there to dig further since I realize I can't provide
all the details without first editing things out as I did above.
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.

Hi Team,
I have integrated 'sssd' with ldap server.
I am using 'getent passwd' command to see all users from local and ldap.
I am able to see all users from local. For LDAP, I am only seeing users
which are not root(uid=0,gid=0).
I have below section in [NSS]
[nss]
filter_users = bin
filter_groups = bin
filter_users_in_groups = false
enum_cache_timeout = 5
Can you please help? Please let me know if you need any details from me.
Regards,
Kedar.

Hi guys,
i am running into an issue in which my users lose their name momentarily. I have tried disabling reverse dns, and I have a cron job that restarts sssd every hour as well as checking the id of each username to keep the usernames fresh. Is there something else I can do, or a cache I can enable so it doesn't need to recheck the username after you log in (i know i have been told that sssd cache's everything, so I don't understand, why I would lose the username) ?
thanks,
Thomas